Most SMBs do not have a written incident-response plan. They will, eventually, because regulators, insurers, or larger customers will require one. The question is just whether it gets written this month, calmly, or under deadline at 2 a.m. mid-incident.
The minimum-viable runbook fits on four pages. Page one: contact list, with out-of-hours numbers, for internal decision-makers, the IT provider, the cyber insurer (most policies require notification before a forensic provider or negotiator is engaged), the forensic provider, and legal counsel. Page two: triage decision tree: what is the situation, what is affected, what is the immediate containment action, and who is authorised to take it. Page three: communication plan: who needs to know what, in what order, in what tone, and who signs off before anything goes to staff, customers, or the press. Page four: regulatory obligations: the 72-hour ASD ransomware-payment report under the Cyber Security Act 2024 (mandatory for businesses above the A$3 million annual-turnover threshold, and counted from the payment, not from the intrusion), the OAIC Notifiable Data Breaches scheme (an eligible breach is one likely to result in serious harm, with a 30-day limit on assessing whether a suspected breach qualifies), and any sector-specific obligations such as APRA or SOCI reporting.
It's not a complete incident-response programme. It's the artefact that prevents the worst version of an incident, which is the one where decisions get made without information and communications go out without alignment.
